AMENDMENTS TO THE CLAIMS

Listing of Claims

The following listing of claims replaces all previous versions.

1. (Currently Amended) A computer system providing Internet protocol security without secure domain name resolution, the system comprising:

a local domain name service (DNS) server that is communicatively coupled to a processor and that includes a secure Internet security protocol (IPSEC) cache, wherein the secure IPSEC cache comprises a plurality of cache entries, wherein each cache entry comprises a domain name and information that uniquely associates the cache entry with a particular application process or execution time, wherein the secure IPSEC cache is readable only by an Internet protocol (IP) processing layer of an operating system that controls execution of an application program by the processor[[, and wherein each cache entry comprises information that uniquely associates the cache entry with a particular application process or execution time]];

a security policy data store that is communicatively coupled to the IP processing layer;

a computer-readable medium accessible to the processor and comprising one or more sequences of instructions which, when executed by the processor, cause the processor to carry out the steps of:

receiving a message generated as a result of execution of the application program and that contains a domain name to be resolved by the local DNS server;

storing, in a first of the cache entries, the domain name contained in the message and identifying information that uniquely associates the first cache entry with a particular application process or execution time;

receiving a data packet from the application;

in response to receiving the data packet from the application, locating an entry in the secure IPSEC cache;



50325-0594 (Seq.No. 4788)
Application of Jonathan Trostle, Ser. No. 10/023,622, Filed December 17, 2001
Reply to Office Action

based on the identifying information in the located cache entry, verifying that the domain name in the located entry matches the domain name in the message;

[[in response to receiving the data packet from the application, searching the secure IPSEC cache for an entry that matches the domain name, wherein the searching comprises using the information that uniquely associates the cache entry with a particular application process or execution time to verify that the domain name in the entry matches the domain name contained in the message;]]

querying the security policy data store for an IPSEC policy matching the domain name in the located entry, wherein the IP processing layer[[s]] verifies that the policy matches the domain name contained in the message;

in response to obtaining an IPSEC policy, applying the IPSEC policy to the data packet; and

purging the matching entry from the cache.

2. (Currently Amended) A computer system as recited in Claim 1, [[wherein the secure IPSEC cache comprises a plurality of cache entries,]] wherein each cache entry further comprises [[a DNS name,]] one or more [[corresponding]] IP addresses that correspond to the domain name for the entry.

3. (Currently Amended) A computer system as recited in Claim 2, wherein the step of verifying that the domain name in the located entry matches the domain name contained in the message [[searching the secure IPSEC cache]] further comprises the step of searching the secure IPSEC cache for an entry that matches a process identifier of the application program[[, based on the information that uniquely associates the cache entry with a particular application process or execution time]].
4. (Currently Amended) A computer system as recited in Claim 2, wherein the information, for each cache entry, that uniquely associates the cache entry with a particular application process or execution time comprises a process identifier value and a transaction identifier value.

5. (Currently Amended) A computer system as recited in Claim 4, wherein the step of verifying that the domain name in the located entry matches the domain name contained in the message [[searching the secure IPSEC cache]] further comprises the step of searching the secure IPSEC cache for an entry that matches a process and transaction associated with the application program[[, based on the process identifier value and transaction identifier value in the cache]].

6. (Original) A computer system as recited in Claim 1, further comprising the step of querying the security policy database for an IPSEC policy based on an IP address that is resolved from the domain name received from the application program only when a matching cache entry is not found by searching the cache based on the domain name.

7. (Currently Amended) A computer system as recited in Claim 1, further comprising the steps of:

wherein the message is [[receiving]] a request to resolve [[a DNS]] the domain name into network addresses;

resolving the [[DNS]] domain name using the local DNS server, resulting in generating one or more network addresses corresponding to the [[DNS]] domain name;

determining the identifier information that uniquely associates the request with a particular application process or execution time; and

storing [[the DNS name,]] the network addresses[[, and the identifier information as an entry]] in the first cache entry of the secure IPSEC cache.
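The mechanism recited in Claims 1 to 7 (a cache entry keyed by process and transaction identifier, a domain-name check on the located entry before the policy lookup, a single-use entry that is purged after the packet is handled, and the address-keyed fallback of Claim 6), modelled as an added Python example. This is not code from the application or its specification; every class and function name, the policy labels, the process and transaction numbers and the addresses are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class CacheKey:
    """Identifying information of Claim 4: process identifier plus transaction identifier."""
    pid: int
    txid: int

@dataclass
class CacheEntry:
    domain: str                 # domain name taken from the resolution message
    addresses: Tuple[str, ...]  # addresses the local DNS server returned for it (Claim 2)

@dataclass
class IpsecPolicy:
    domain: Optional[str]  # name the policy was written for; None for address-keyed policies
    action: str            # constructed label such as "ESP-tunnel"

class SecureIpsecCache:
    """Referenced only by the IP processing layer and the local DNS server that fills it."""
    def __init__(self) -> None:
        self._entries: Dict[CacheKey, CacheEntry] = {}
    def store(self, key: CacheKey, domain: str, addresses: Tuple[str, ...]) -> None:
        self._entries[key] = CacheEntry(domain, addresses)
    def locate(self, key: CacheKey) -> Optional[CacheEntry]:
        return self._entries.get(key)
    def purge(self, key: CacheKey) -> None:
        self._entries.pop(key, None)
    def __len__(self) -> int:
        return len(self._entries)

class PolicyStore:
    """Security policy data store with name-keyed and address-keyed policies."""
    def __init__(self, by_domain: Dict[str, IpsecPolicy], by_address: Dict[str, IpsecPolicy]) -> None:
        self._by_domain, self._by_address = by_domain, by_address
    def query_by_domain(self, domain: str) -> Optional[IpsecPolicy]:
        return self._by_domain.get(domain)
    def query_by_address(self, ip: str) -> Optional[IpsecPolicy]:
        return self._by_address.get(ip)

class LocalDnsServer:
    """Answers come from an unauthenticated table, so the addresses themselves are not trusted."""
    def __init__(self, cache: SecureIpsecCache, answers: Dict[str, Tuple[str, ...]]) -> None:
        self._cache, self._answers = cache, answers
    def resolve(self, pid: int, txid: int, domain: str) -> Tuple[str, ...]:
        # Claim 7: resolve, then record name and addresses under the requesting process/transaction.
        addresses = self._answers.get(domain, ())
        self._cache.store(CacheKey(pid, txid), domain, addresses)
        return addresses

class IpProcessingLayer:
    def __init__(self, cache: SecureIpsecCache, policies: PolicyStore) -> None:
        self._cache, self._policies = cache, policies
    def send(self, pid: int, txid: int, message_domain: str, dst_ip: str) -> str:
        """Handle one outbound packet; message_domain is the name the process asked to resolve."""
        key = CacheKey(pid, txid)
        entry = self._cache.locate(key)
        if entry is None:
            # Claim 6: no entry for this process/transaction, so fall back to an address-keyed policy.
            policy = self._policies.query_by_address(dst_ip)
            return policy.action if policy else "no-policy"
        try:
            if entry.domain != message_domain:  # the entry must belong to this very request
                return "drop: entry/message domain mismatch"
            policy = self._policies.query_by_domain(entry.domain)
            if policy is None or policy.domain != message_domain:
                return "no-policy"
            return policy.action  # policy selected by name, not by the unverified address
        finally:
            self._cache.purge(key)  # entries are single-use

# Constructed scenario: a name-keyed policy protects bank.example, but the DNS answer gives an
# address no address-keyed policy covers, as an unauthenticated answer might.
POLICIES = PolicyStore(
    by_domain={"bank.example": IpsecPolicy("bank.example", "ESP-tunnel")},
    by_address={"198.51.100.5": IpsecPolicy(None, "ESP-tunnel")},
)
ANSWERS = {"bank.example": ("203.0.113.7",)}

def _setup() -> Tuple[SecureIpsecCache, LocalDnsServer, IpProcessingLayer]:
    cache = SecureIpsecCache()
    return cache, LocalDnsServer(cache, ANSWERS), IpProcessingLayer(cache, POLICIES)

def packet_with_cache() -> Tuple[str, int]:
    cache, dns, ip_layer = _setup()
    addrs = dns.resolve(pid=4242, txid=1, domain="bank.example")
    return ip_layer.send(4242, 1, "bank.example", addrs[0]), len(cache)  # ("ESP-tunnel", 0)

def packet_address_keyed_only() -> str:
    # Same packet but no cache entry: the address-keyed fallback finds no policy.
    return _setup()[2].send(4242, 1, "bank.example", "203.0.113.7")

def stale_entry_reused() -> Tuple[str, int]:
    cache, dns, ip_layer = _setup()
    dns.resolve(pid=4242, txid=1, domain="bank.example")
    # The same process/transaction now names a different domain: mismatch caught, entry purged.
    return ip_layer.send(4242, 1, "mail.example", "203.0.113.7"), len(cache)
```

Keying the entry on the process and transaction identifiers, and comparing the entry's domain name with the name in the message before the policy lookup, is what lets the IPSEC decision rest on the name the application actually asked for rather than on whatever address the unauthenticated resolver returned; purging the entry once the packet is handled keeps a later packet from a different transaction from inheriting it.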
8. (Currently Amended) A method for providing Internet protocol security without secure domain name resolution, the method comprising the computer-implemented steps of:

receiving a message generated as a result of execution of an application program and that contains a domain name to be resolved by the local DNS server;

storing, in a first cache entry of a secure Internet security protocol (IPSEC) cache, the domain name contained in the message and identifying information that uniquely associates the first cache entry with a particular application process or execution time, wherein the secure IPSEC cache is communicatively coupled to a local domain name service (DNS) server, and wherein the secure IPSEC cache is readable only by an Internet protocol (IP) processing layer of an operating system that controls execution of the application program, and wherein each cache entry comprises information that uniquely associates the cache entry with a particular application process or execution time;

receiving a data packet from the application;

in response to receiving the data packet from the application, locating an entry in the secure IPSEC cache;

based on the identifying information in the located cache entry, verifying that the domain name in the located entry matches the domain name in the message;

[[searching a secure Internet security protocol (IPSEC) cache for an entry that matches the domain name, wherein the secure IPSEC cache is communicatively coupled to a local domain name service (DNS) server, and wherein the secure IPSEC cache is readable only by an Internet protocol (IP) processing layer of an operating system that controls execution of the application program, and wherein each cache entry comprises information that uniquely associates the cache entry with a particular application process or execution time; and further wherein the searching comprises using the information that uniquely associates the cache entry with a particular application process or execution time to verify that the domain name in the entry matches the domain name contained in the message;]]

in response to obtaining an IPSEC policy, querying a security policy data store that is communicatively coupled to the IP processing layer for an IPSEC policy matching the domain name in the located entry, wherein the IP processing layer[[s]] verifies that the policy matches the domain name contained in the message;

applying the IPSEC policy to the data packet; and

purging the matching entry from the cache.

9. (Currently Amended) A method as recited in Claim 8, [[wherein the secure IPSEC cache comprises a plurality of cache entries,]] wherein each cache entry further comprises [[a DNS name,]] one or more [[corresponding]] IP addresses that correspond to the domain name for the entry.

10. (Currently Amended) A method as recited in Claim 9, wherein the step of verifying that the domain name in the located entry matches the domain name contained in the message [[searching the secure IPSEC cache]] further comprises the step of searching the secure IPSEC cache for an entry that matches a process identifier of the application program[[, based on the information that uniquely associates the cache entry with a particular application process or execution time]].

11. (Currently Amended) A method as recited in Claim 9, wherein the information, for each cache entry, that uniquely associates the cache entry with a particular application process or execution time comprises a process identifier value and a transaction identifier value.

12. (Currently Amended) A method as recited in Claim 11, wherein the step of verifying that the domain name in the located entry matches the domain name contained in the message [[searching the secure IPSEC cache]] further comprises the step of searching the secure IPSEC cache for an entry that matches a process and transaction associated with the application program[[, based on the process identifier value and transaction identifier value in the cache]].
13. (Original) A method as recited in Claim 8, further comprising the step of querying the security policy database for an IPSEC policy based on an IP address that is resolved from the domain name received from the application program only when a matching cache entry is not found by searching the cache based on the domain name.

14. (Currently Amended) A method as recited in Claim 8, further comprising the steps of:

wherein the message is [[receiving]] a request to resolve [[a DNS]] the domain name into network addresses;

resolving the [[DNS]] domain name using the local DNS server, resulting in generating one or more network addresses corresponding to the DNS name;

determining the identifier information that uniquely associates the request with a particular application process or execution time; and

storing [[the DNS name,]] the network addresses[[, and the identifier information as an entry]] in the first cache entry of the secure IPSEC cache.

15. (Currently Amended) A computer-readable medium carrying one or more sequences of instructions for providing Internet protocol security without secure domain name resolution, which instructions, when executed by one or more processors, cause the one or more processors to carry out the steps of:

receiving a message generated as a result of execution of an application program and that contains a domain name to be resolved by the local DNS server;

storing, in a first cache entry of a secure Internet security protocol (IPSEC) cache, the domain name contained in the message and identifying information that uniquely associates the first cache entry with a particular application process or execution time, wherein the secure IPSEC cache is communicatively coupled to a local domain name service (DNS) server, and wherein the secure IPSEC cache is readable only by an Internet protocol (IP) processing layer of an operating system that controls execution of the application program, and wherein each cache entry comprises information that uniquely associates the cache entry with a particular application process or execution time;

receiving a data packet from the application;

in response to receiving the data packet from the application, locating an entry in the secure IPSEC cache;

based on the identifying information in the located cache entry, verifying that the domain name in the located entry matches the domain name in the message;

[[searching a secure Internet security protocol (IPSEC) cache for an entry that matches the domain name, wherein the secure IPSEC cache is communicatively coupled to a local domain name service (DNS) server, and wherein the secure IPSEC cache is readable only by an Internet protocol (IP) processing layer of an operating system that controls execution of the application program, and wherein each cache entry comprises information that uniquely associates the cache entry with a particular application process or execution time; and further wherein the searching comprises using the information that uniquely associates the cache entry with a particular application process or execution time to verify that the domain name in the entry matches the domain name contained in the message;]]

in response to obtaining an IPSEC policy, querying a security policy data store that is communicatively coupled to the IP processing layer for an IPSEC policy matching the domain name in the located entry, wherein the IP processing layer[[s]] verifies that the policy matches the domain name contained in the message;

applying the IPSEC policy to the data packet; and

purging the matching entry from the cache.

16-21. (Canceled) 

22. (Currently Amended) An apparatus for providing Internet protocol security without secure domain name resolution, comprising:

means for receiving a message generated as a result of execution of an application program and that contains a domain name to be resolved by the local DNS server;

means for storing, in a first cache entry of a secure Internet security protocol (IPSEC) cache, the domain name contained in the message and identifying information that uniquely associates the first cache entry with a particular application process or execution time, wherein the secure IPSEC cache is communicatively coupled to a local domain name service (DNS) server, and wherein the secure IPSEC cache is readable only by an Internet protocol (IP) processing layer of an operating system that controls execution of the application program, and wherein each cache entry comprises information that uniquely associates the cache entry with a particular application process or execution time;

means for receiving a data packet from the application;

in response to receiving the data packet from the application, means for locating an entry in the secure IPSEC cache;

based on the identifying information in the located cache entry, means for verifying that the domain name in the located entry matches the domain name in the message;

[[means for searching a secure Internet security protocol (IPSEC) cache for an entry that matches the domain name, wherein the secure IPSEC cache is communicatively coupled to a local domain name service (DNS) server, and wherein the secure IPSEC cache is readable only by an Internet protocol (IP) processing layer of an operating system that controls execution of the application program, and wherein each cache entry comprises information that uniquely associates the cache entry with a particular application process or execution time; and wherein the means for searching comprises means for using the information that uniquely associates the cache entry with a particular application process or execution time to verify that the domain name in the entry matches the domain name contained in the message;]]

means for querying a security policy data store that is communicatively coupled to the IP processing layer for an IPSEC policy matching the domain name in the located entry, wherein the IP processing layer[[s]] verifies that the policy matches the domain name contained in the message;

means for applying the IPSEC policy to the data packet; and

means for purging the matching entry from the cache.

23. (Currently Amended) An apparatus for providing Internet protocol security, without secure domain name resolution, for messages that are carried by a packet-switched data network, comprising:

a network interface that is coupled to the data network for receiving one or more packet flows therefrom;

a processor;

one or more stored sequences of instructions which, when executed by the processor, cause the processor to carry out the steps of:

receiving a message generated as a result of execution of an application program and that contains a domain name to be resolved by the local DNS server;

storing, in a first cache entry of a secure Internet security protocol (IPSEC) cache, the domain name contained in the message and identifying information that uniquely associates the first cache entry with a particular application process or execution time, wherein the secure IPSEC cache is communicatively coupled to a local domain name service (DNS) server, and wherein the secure IPSEC cache is readable only by an Internet protocol (IP) processing layer of an operating system that controls execution of the application program, and wherein each cache entry comprises information that uniquely associates the cache entry with a particular application process or execution time;

receiving a data packet from the application;

in response to receiving the data packet from the application, locating an entry in the secure IPSEC cache;

based on the identifying information in the located cache entry, verifying that the domain name in the located entry matches the domain name in the message;

[[searching a secure Internet security protocol (IPSEC) cache for an entry that matches the domain name, wherein the secure IPSEC cache is communicatively coupled to a local domain name service (DNS) server, and wherein the secure IPSEC cache is readable only by an Internet protocol (IP) processing layer of an operating system that controls execution of the application program, and wherein each cache entry comprises information that uniquely associates the cache entry with a particular application process or execution time; and further wherein the searching comprises using the information that uniquely associates the cache entry with a particular application process or execution time to verify that the domain name in the entry matches the domain name contained in the message;]]

in response to obtaining an IPSEC policy, querying a security policy data store that is communicatively coupled to the IP processing layer for an IPSEC policy matching the domain name in the located entry, wherein the IP processing layer[[s]] verifies that the policy matches the domain name contained in the message;

applying the IPSEC policy to the data packet; and

purging the matching entry from the cache.

24. (Currently Amended) An apparatus as recited in Claim 22, [[wherein the secure IPSEC cache comprises a plurality of cache entries,]] wherein each cache entry further comprises [[a DNS name,]] one or more [[corresponding]] IP addresses that correspond to the domain name for the entry.

25. (Currently Amended) An apparatus as recited in Claim 24, wherein the means for verifying that the domain name in the located entry matches the domain name contained in the message [[searching the secure IPSEC cache]] further comprises means for searching the secure IPSEC cache for an entry that matches a process identifier of the application program[[, based on the information that uniquely associates the cache entry with a particular application process or execution time]].
26. (Currently Amended) An apparatus as recited in Claim 25, wherein the information, for each cache entry, that uniquely associates the cache entry with a particular application process or execution time comprises a process identifier value and a transaction identifier value.

27. (Currently Amended) An apparatus as recited in Claim 26, wherein the means for verifying that the domain name in the located entry matches the domain name contained in the message [[searching the secure IPSEC cache]] further comprises means for searching the secure IPSEC cache for an entry that matches a process and transaction associated with the application program[[, based on the process identifier value and transaction identifier value in the cache]].

28. (Previously Presented) An apparatus as recited in Claim 22, further comprising means for querying the security policy database for an IPSEC policy based on an IP address that is resolved from the domain name received from the application program only when a matching cache entry is not found by searching the cache based on the domain name.

29. (Currently Amended) An apparatus as recited in Claim 22, wherein the message is a request to resolve the domain name into network addresses; and further comprising:

[[means for receiving a request to resolve a DNS name into network addresses;]]

means for resolving the [[DNS]] domain name using the local DNS server, resulting in generating one or more network addresses corresponding to the [[DNS]] domain name;

means for determining identifier information that uniquely associates the request with a particular application process or execution time; and

means for storing [[the DNS name,]] the network addresses[[, and the identifier]] information as an entry in the secure IPSEC cache.